- Added ec2lm_set_dns() function to EC2LM

- Added EC2LM support for ubuntu_18_cis ami type - Fixed CodeDeploy agent install on CIS hardened imges. - Fixed external resource support to Route53 HostedZones
waterbear-cloud · Oct 21, 2021 · ab14938 · ab14938
1 parent 588fa4a
commit ab14938
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 10 deletions.
diff --git a/src/paco/application/ec2_launch_manager.py b/src/paco/application/ec2_launch_manager.py
@@ -561,6 +561,30 @@ def init_ec2lm_function(self, ec2lm_bucket_name, resource, stack_name):
     {ec2lm_commands.user_data_script['install_package'][resource.instance_ami_type_generic]} $1
 }}
 
+# Set EC2 DNS
+function ec2lm_set_dns() {{
+    INSTANCE_HOSTNAME="$(curl http://169.254.169.254/latest/meta-data/hostname)"
+    RECORD_SET_FILE=/tmp/internal_record_set.json
+    DOMAIN=$1
+    HOSTED_ZONE_ID=$2
+    cat << EOF >$RECORD_SET_FILE
+{{
+"Comment": "API Server",
+"Changes": [ {{
+    "Action": "UPSERT",
+    "ResourceRecordSet": {{
+        "Name": "$DOMAIN",
+        "Type": "CNAME",
+        "TTL": 60,
+        "ResourceRecords": [ {{
+            "Value": "$INSTANCE_HOSTNAME"
+        }} ]
+    }}
+}} ]
+}}
+EOF
+    aws route53 change-resource-record-sets --hosted-zone-id $HOSTED_ZONE_ID --change-batch file://$RECORD_SET_FILE
+}}
 """
         if resource.secrets != None and len(resource.secrets) > 0:
             self.ec2lm_functions_script[ec2lm_bucket_name] += self.add_secrets_function_policy(resource)
@@ -689,7 +713,7 @@ def user_data_script(self, resource, stack_name):
                 print("'ec2lm_signal_asg_resource <SUCCESS|FAILURE>' was not detected in your user_data_script for this resource.")
 
         # Newer Ubuntu (>20) does not have Python 2
-        if resource.instance_ami_type in ('ubuntu_20', 'amazon_ecs'):
+        if resource.instance_ami_type in ('ubuntu_20', 'amazon_ecs', 'ubuntu_18', 'ubuntu_18_cis'):
             install_aws_cli = ec2lm_commands.user_data_script['install_aws_cli'][resource.instance_ami_type]
         else:
             install_aws_cli = ec2lm_commands.user_data_script['install_aws_cli'][resource.instance_ami_type_generic]
@@ -1722,7 +1746,7 @@ def lb_add_ssm(self, bundle_name, resource):
             agent_config = ec2lm_commands.ssm_agent[resource.instance_ami_type]
             agent_install = agent_config["install"]
             agent_object = agent_config["object"]
-            if resource.instance_ami_type not in ('ubuntu_16_snap', 'ubuntu_18', 'ubuntu_20'):            # use regional URL for faster download
+            if resource.instance_ami_type not in ('ubuntu_16_snap', 'ubuntu_18', 'ubuntu_18_cis', 'ubuntu_20'):            # use regional URL for faster download
                 if self.aws_region in ec2lm_commands.ssm_regions:
                     download_url = f'https://s3.{self.aws_region}.amazonaws.com/amazon-ssm-{self.aws_region}/latest'
                 else:
@@ -2142,7 +2166,8 @@ def lb_add_codedeploy(self, bundle_name, resource):
     # Load EC2 Launch Manager helper functions
     . {self.paco_base_path}/EC2Manager/ec2lm_functions.bash
 
-    cd /tmp/
+    mkdir -p /root/tmp
+    cd /root/tmp/
     ec2lm_install_wget
     ec2lm_install_package ruby
     # Stopping the current agent

diff --git a/src/paco/application/ec2lm_commands.py b/src/paco/application/ec2lm_commands.py
@@ -35,16 +35,20 @@
 		'ubuntu': """apt-get update
 apt-get -y install python-pip
 pip install awscli
+""",
+		'ubuntu_18': """apt-get update
+apt-get -y install python-pip
+pip install awscli
+""",
+		'ubuntu_18_cis': """apt-get update
+apt-get -y install python-pip
+pip install awscli
+chmod a+x /usr/local/bin/aws
 """,
 		'ubuntu_20': """apt-get update
 apt-get -y install python3-pip
 apt install awscli -y
 """,
-#		'ubuntu_20': """apt-get update
-#apt-get -y install python3-pip
-#pip3 install awscli
-#apt install awscli -y
-#""",
 		'centos': 'ec2lm_pip install awscli'
 	},
 	'install_wget': {
@@ -196,6 +200,11 @@
         "object": "amazon-ssm-agent",
         "install": "snap install --classic"
     },
+    "ubuntu_18_cis": {
+        "path": "/debian_amd64",
+        "object": "amazon-ssm-agent",
+        "install": "snap install --classic"
+    },
     "ubuntu": {
         "path": "/debian_amd64",
         "object": "amazon-ssm-agent.deb",

diff --git a/src/paco/cftemplates/route53_hostedzone.py b/src/paco/cftemplates/route53_hostedzone.py
@@ -82,10 +82,16 @@ def __init__(self, stack, paco_ctx):
                 record_set_res = troposphere.route53.RecordSet(**record_set_dict)
                 record_set_list.append(record_set_res)
 
+            if zone_config.external_resource != None and zone_config.external_resource.is_enabled():
+                hosted_zone_id = zone_config.external_resource.hosted_zone_id
+            else:
+                hosted_zone_id = troposphere.Ref(hosted_zone_res)
+
             group_res = troposphere.route53.RecordSetGroup(
                 title='RecordSetGroup',
                 template=self.template,
-                HostedZoneId=troposphere.Ref(hosted_zone_res),
+                HostedZoneId=hosted_zone_id,
                 RecordSets=record_set_list
             )
-            group_res.DependsOn = hosted_zone_res
+            if zone_config.external_resource == None or zone_config.external_resource.is_enabled() == False:
+                group_res.DependsOn = hosted_zone_res